Академический Документы
Профессиональный Документы
Культура Документы
Topology
Assessment Objectives
Part 1: Verify Network Connectivity (1 points, 5 minutes)
Part 2: Configure Secure Router Administrative Access (17 points, 15 minutes)
Part 3: Configure a Zone-Based Policy Firewall (14 points, 10 minutes)
Part 4: Secure Layer 2 Switches (22 points, 20 minutes)
Part 5: Configure ASA Basic Management and Firewall Settings (18 points, 15 minutes)
Part 6: Configure a Site-To-Site IPsec VPN (28 points, 25 minutes)
Scenario
This Skills Assessment (SA) is the final practical exam of student training for the CCNA Security course. The
exam is divided into six parts. The parts should be completed sequentially and signed off by your instructor
© 2015 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 9 www.netacad.com
CCNA Security Skills Assessment Using ASA 5506-X– Form B
before moving on to the next part. In Part 1 you will verify that the basic device settings have been
preconfigured by the instructor. In Part 2, you will secure a network router using the command-line interface
(CLI) to configure various IOS features including AAA and SSH. In Part 3, you will configure zone-based
policy firewall (ZPF) on an integrated service router (ISR) using the CLI. In Part 4, you will configure and
secure Layer 2 switches using the CLI. In Part 5, you will configure the ASA management and firewall settings
using the CLI. In Part 6, you will configure a site-to-site IPsec VPN between R3 and the ASA using the CLI
and ASDM.
Required Resources
2 Routers (Cisco 1941 with Cisco IOS Release 15.4(3)M2 image with a Security Technology Package
license)
3 Switches (Cisco 2960 with cryptography IOS image for SSH support – Release 15.0(2)SE7 or
comparable)
1 ASA 5506-X (OS version 9.10(1) and ASDM version 7.10(1) and Base license or comparable)
3 PCs (Windows, SSH Client and Java version compatible with installed ASDM version)
Console cable to configure the Cisco IOS devices via the console ports
Ethernet and Serial cables as shown in the topology
Ping the G0/1 interface on R3 from PC-C. See Topology for specific settings. 1/2
Ping the S0/0/1 interface on R1 from R3. See Topology for specific settings. 1/2
© 2015 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 9 www.netacad.com
CCNA Security Skills Assessment Using ASA 5506-X– Form B
Username: Admin01
Add a user in the local database for Privilege level: 15
1
administrator access Encryption type: 9 (scrypt)
Password: admin01pass
Configure MOTD banner. Unauthorized Access is Prohibited! 1/2
Disable HTTP server services. 1/2
Domain name: ccnassecurity.com
RSA Keys size: 1024
Configure SSH. Version: 2 4
Timeout: 90 seconds
Authentication retries: 2
Configure VTY lines to allow SSH access. Allow only SSH access. 1
Note: Before proceeding to Part 3, ask your instructor to verify R3’s configuration and functionality.
Instructor Sign-Off Part 2: ______________________
Points: _________ of 17
© 2015 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 9 www.netacad.com
CCNA Security Skills Assessment Using ASA 5506-X– Form B
Switch: S2
Assign and encrypt a privileged EXEC
Password: cisco12345. 1/2
password.
Encryption type: 9 (scrypt)
Switch: S2
Username: Admin01
Add a user in the local database for
Privilege level: 15 1
administrator access
Encryption type: 9 (scrypt)
Password: admin01pass
Switch: S2
Configure MOTD banner. 1/2
Banner: Unauthorized Access is Prohibited!
© 2015 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 9 www.netacad.com
CCNA Security Skills Assessment Using ASA 5506-X– Form B
© 2015 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 9 www.netacad.com
CCNA Security Skills Assessment Using ASA 5506-X– Form B
NETLAB+ Note: Use a Maximum limit of 2 when configuring basic port security. Otherwise, the hidden
Control Switch will cause a violation to occur and the port will be shutdown.
Troubleshoot as necessary to correct any issues discovered.
Note: Before proceeding to Part 5, ask your instructor to verify your switch configuration and functionality.
Instructor Sign-Off Part 4: ______________________
Points: _________ of 22
© 2015 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 9 www.netacad.com
CCNA Security Skills Assessment Using ASA 5506-X– Form B
Enable IKE. 1
ISAKMP Policy Priority: 1
Authentication type: pre-share
Create an ISAKMP policy. Encryption: 3des 5
Hash algorithm: sha
Diffie-Hellman Group Key Exchange: 2
Preshare key: ciscopreshare
Configure the pre-shared key. 2
Address: 209.165.200.226
Tag: TRNSFRM-SET
Configure the IPsec transform set. ESP transform: ESP_3DES 3
Hash function: ESP_SHA_HMAC
ACL: 101
Define interesting traffic. Source Network: 172.30.3.0 0.0.0.255 1
Destination Network: 192.168.10.0 0.0.0.255
© 2015 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 9 www.netacad.com
CCNA Security Skills Assessment Using ASA 5506-X– Form B
Connection: HTTPS
IP Address: 192.168.10.1
Use a browser on PC-B, connect to the
Username: Admin01 2
ASA, and run ASDM.
Password: admin01pass
Note: You will need to accept all security messages.
Peer IP Address: 209.165.200.234
VPN Access Interface: outside
Use the Site-to-site VPN Wizard to Local Network: inside-network/24
configure the site-to-site VPN settings 5
on the ASA. Remote Network: 172.30.3.0/24
Pre-shared Key: ciscopreshare
Exempt ASA side/host network from NAT: Enable
This should generate interesting traffic and start site-to-
Ping PC-B from PC-C. 1/2
site VPN.
Ping PC-C from PC-B. 1/2
Display the ISAKMP and IPsec SAs on
1
R3.
Verify that a site-to-site session has
been established using ASDM from 1
PC-B.
© 2015 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 8 of 9 www.netacad.com
CCNA Security Skills Assessment Using ASA 5506-X– Form B
Router Model Ethernet Interface #1 Ethernet Interface #2 Serial Interface #1 Serial Interface #2
1800 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
(F0/0) (F0/1)
1900 Gigabit Ethernet 0/0 Gigabit Ethernet 0/1 Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
(G0/0) (G0/1)
2801 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/1/0 (S0/1/0) Serial 0/1/1 (S0/0/1)
(F0/0) (F0/1)
2811 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
(F0/0) (F0/1)
2900 Gigabit Ethernet 0/0 Gigabit Ethernet 0/1 Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
(G0/0) (G0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An
example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be
used in Cisco IOS commands to represent the interface.
© 2015 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 9 of 9 www.netacad.com